Dotdeb packages are now signed!

After many requests from several users and after many months of promise, the Dotdeb repositories are GPG-signed. Yes, you can now get rid of the annoying “WARNING: The following packages cannot be authenticated!” message!

Waiting for a dotdeb-keyring package, you just have to get the key and add it to your trusted keys’ keyring :

Joshaven Potter

I got the following error:
W: GPG error: http://php53.dotdeb.org stable Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY E9C74FEEA2098A6E
W: You may want to run apt-get update to correct these problems

vixns

Speckles

Note: if your system doesn’t have the gpg command, the package to get it is called gnupg. Since it took me several hours to figure this out, I figured I should post this here to save any fellow newbs some time.

Scott Grayban

Setting up a secure apt repository

From man apt-secure

If you want to provide archive signatures in an archive under your maintenance you have to:

* Create a toplevel Release file. if it does not exist already. You can do this by running apt-ftparchive release (provided inftp apt-utils).
* Sign it. You can do this by running gpg -abs -o Release.gpg Release.
* Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.

Whenever the contents of the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps previously outlined.